we do not load a user's profile because it could require user interaction. this would hang any unattended processes, eg a software deploy. using the rbac permissions you can very effectively limit what a user will be able to do on a target system, so typically we map to root at that point because they are only able to perform a limited set of commands, and those they can perform should be done as root.